Simple Firewall Issue - hopefully
-
Btw, I can see you are busy on the forum, so I apologise for my incompetence.
-
1/ No, you cannot use URL in firewall rules.
2/ You cannot use IP address to access webserver with mass vhosting on a single IP.
3/ Fix your DNS so that it resolves and you can use proper FQDN/URL to access the website! You need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client.
4/ Squid? Why don't you just pull the cable when not in use. Really. Or pay for your own IP.
-
Thanks.
1/ No, you cannot use URL in firewall rules.
2/ You cannot use IP address to access webserver with mass vhosting on a single IP.
3/ Fix your DNS so that it resolves and you can use proper FQDN/URL to access the website! You need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client.
4/ Squid? Why don't you just pull the cable when not in use. Really. Or pay for your own IP.
I've configured the DNS locally and it all works fine, exactly how I want it.
How/why does the firewall not give the DNS to my client, or how can I make that happen?
It works without the block.
-
Which part of "you need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client" is exactly unclear??? When you block DNS traffic then it won't work. Why are you configuring ridiculously restrictive firewall rules without understanding the basics?
-
Firewall rules are processed top-down. Your users are never going to go anywhere when rules #2,3 prevent all Internet access from LAN. You need to put your Allow rules first and then all else can be blocked by the hidden Default Deny rule.
Delete rules 2,3,4,7,8 & set remaining rule's protocol to TCP/UDP and you should be done and working.
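To make the top-down point concrete, here is a small first-match rule evaluator. It is an added illustration, not code from the thread or from pfSense; the alias table and the three rule sets are constructed to mirror the scenario described above (a catch-all block above the allow, a TCP-only allow, and the corrected order).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed alias table in the spirit of the thread: a readable name for one address.
ALIASES = {"DNS_Server": "10.11.34.6"}

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp", "tcp/udp" or "any"
    dst: str              # IP address, alias name or "any"
    dport: Optional[int]  # destination port, None = any port

def matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    """Does one rule match the packet? Aliases are resolved before comparing."""
    if rule.proto != "any" and proto not in rule.proto.split("/"):
        return False
    if rule.dst != "any" and ALIASES.get(rule.dst, rule.dst) != dst_ip:
        return False
    return rule.dport is None or rule.dport == dport

def evaluate(rules, proto, dst_ip, dport):
    """Top-down first match; returns (action, rule number), or ("block", None)
    when nothing matched and the hidden default deny applies."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, proto, dst_ip, dport):
            return rule.action, number
    return "block", None

# Mistake 1: a catch-all block sits above the allow, so the allow is never reached.
BLOCK_FIRST = [Rule("block", "any", "any", None),
               Rule("pass", "tcp/udp", "DNS_Server", 53)]
# Mistake 2: the allow is first but TCP-only; ordinary UDP lookups fall to default deny.
TCP_ONLY = [Rule("pass", "tcp", "DNS_Server", 53)]
# Corrected: allow rules first, TCP/UDP, and no explicit block rules at all.
FIXED = [Rule("pass", "tcp/udp", "DNS_Server", 53)]

if __name__ == "__main__":
    for name, rules in (("block_first", BLOCK_FIRST), ("tcp_only", TCP_ONLY), ("fixed", FIXED)):
        for proto in ("udp", "tcp"):
            print(f"{name:12} {proto} to DNS_Server:53  -> {evaluate(rules, proto, '10.11.34.6', 53)}")
        print(f"{name:12} udp to 10.11.34.6:123 -> {evaluate(rules, 'udp', '10.11.34.6', 123)}")
```

The last line of each group shows traffic that no rule matches falling through to the default deny, which is why the explicit block rules are unnecessary.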
-
Which part of "you need to allow TCP/UDP with destination port 53 to any DNS server you have configured on your client" is exactly unclear??? When you block DNS traffic then it won't work.
Why are you configuring ridiculously restrictive firewall rules without understanding the basics?
Not sure if you are trying to help or just be a c*nt :)
I set the DNS on the client in the network config for the connection. This allowed it to work.
I allowed all TCP/UDP to Google DNS as I posted earlier.
Where else would I start - this is understanding the basics.
-
@KOM:
Firewall rules are processed top-down. Your users are never going to go anywhere when rules #2,3 prevent all Internet access from LAN. You need to put your Allow rules first and then all else can be blocked by the hidden Default Deny rule.
Delete rules 2,3,4,7,8 & set remaining rule's protocol to TCP/UDP and you should be done and working.
Thanks for the response.
This solved the issue perfectly and simply.
-
Glad you got it working ;D
-
Where else would I start - this is understanding the basics.
I meant firewall basics. Apparently not the case with you.
-
What is the alias for when the IP will never change?
This isn't the first time you have shit on people for using aliases. I can't believe that someone who knows DNS as well as you do is baffled as to why people would use an alias for a single IP address. I have all kinds of single IP aliases because I find it much easier to read for myself and anyone who might take my place. So much easier to read DNS_Server than 10.11.34.6 and know what's going on. Yes, I'm sure that there are supermen network admins who can memorize an entire class C subnet but that's not me.
-
@KOM:
So much easier to read DNS_Server than 10.11.34.6 and know what's going on.
Yeah. Because the description column does not fit on the screen. I guess you are leaving the descriptions empty, exactly like OP.
-
I guess you are leaving the descriptions empty, exactly like OP.
I do both. I prefer to have the Source/Target obvious without having to read a description, but I also add a description to make it even clearer for others. I simply find it faster to understand the rule using the alias than by scanning the rule and then reading the description. You are saying that one way is wrong and one way is right. I say let people work the way they want without mocking them for it.